Re: document.write() and .close() allowed on IFRAME though its document.domain was set

On 11/21/11 4:09 PM, Hallvord R. M. Steen wrote:
> I know Opera has had (and still has) some security checks in DOM that
> other browsers do not have - but here we're looking up 'contentDocument'
> on 'iframe', and that certainly must be subject to security checks in
> all UAs, right?

In at least the case of Gecko, about:blank iframes have the same origin 
_object_ as the page that loaded them.

That is, when document.domain is set on that iframe, it changes the 
document.domain of the page that loaded it as well (or more precisely, 
changes the single object that both documents have pointers to and which 
represents the origin of the outer page).

Arguably the Gecko behavior here is sort of buggy....

> This currently causes a problem on eBay. Do we need to fix HTML5 to
> align with Chrome/Firefox?

It would be good to understand why it works in WebKit; I didn't think 
they did the same "share the origin object" thing Gecko does here.

-Boris

Received on Monday, 21 November 2011 22:34:22 UTC
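A minimal test page for the behaviour Boris describes, added here as an example and not taken from the thread or from any eBay page: it creates an about:blank iframe, sets document.domain on the child document, and then reports whether the outer document's domain changed with it, whether contentDocument is still reachable, and whether document.write() and close() on the child are still allowed. The relaxed domain is derived from location.hostname by dropping its leftmost label, so the page has to be served from a host with at least two labels (www.example.com is assumed as a stand-in); no host is hard-coded.

```html
<!DOCTYPE html>
<!-- Added repro page, not code from the thread. Serve it over http(s)
     from a host such as www.example.com (an assumed example host); the
     relaxed domain "example.com" is computed from location.hostname. -->
<meta charset="utf-8">
<title>document.domain on an about:blank iframe</title>
<pre id="log"></pre>
<script>
  var log = document.getElementById('log');

  // Run one probe and print either its result or the exception it raised;
  // a SecurityError or a null contentDocument is a result, not a failure.
  function report(label, fn) {
    try {
      log.textContent += label + ': ' + fn() + '\n';
    } catch (e) {
      log.textContent += label + ': threw ' + e.name + ' (' + e.message + ')\n';
    }
  }

  // Candidate relaxed domain: the current host minus its leftmost label.
  var labels = location.hostname.split('.');
  if (labels.length < 2) {
    log.textContent = 'Host "' + location.hostname +
      '" has no parent domain to relax to; serve this page from a host ' +
      'like www.example.com\n';
  } else {
    var relaxed = labels.slice(1).join('.');

    // No src attribute, so the child document is about:blank and is
    // available synchronously through contentDocument.
    var iframe = document.createElement('iframe');
    document.body.appendChild(iframe);
    var child = iframe.contentDocument;

    report('outer document.domain before', function () { return document.domain; });
    report('child document.domain before', function () { return child.domain; });

    // The step the thread is about: relax document.domain on the child only.
    report('set child document.domain to ' + relaxed, function () {
      child.domain = relaxed;
      return child.domain;
    });

    // If the outer document's domain changed as well, the browser shares one
    // origin object between the outer page and its about:blank child (the
    // Gecko behaviour described above). If it did not change, the two
    // documents now have different effective domains and the probes below
    // are expected to be blocked.
    report('outer document.domain after', function () { return document.domain; });

    report('iframe.contentDocument after', function () {
      var d = iframe.contentDocument;
      return d ? 'accessible (URL ' + d.URL + ')' : 'null';
    });
    report('document.write on child', function () {
      iframe.contentDocument.write('<p>written after domain change</p>');
      return 'allowed';
    });
    report('document.close on child', function () {
      iframe.contentDocument.close();
      return 'allowed';
    });
  }
</script>
```

Read the "set child document.domain" line first: browsers that have since deprecated the document.domain setter may refuse it or leave the domain unchanged, in which case the later probes say nothing about origin sharing. When the setter does take effect, an "outer document.domain after" value equal to the relaxed domain is the shared-origin-object behaviour; an unchanged outer domain followed by a null contentDocument or a SecurityError is the per-document behaviour the quoted question expects.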